Signature Detail
Short Name |
HTTP:SQL:INJ:WORDPRESS-ID |
|---|---|
Severity |
High |
Recommended |
Yes |
Recommended Action |
Drop |
Category |
HTTP |
Keywords |
WordPress Generic "ID" Parameter SQL Injection |
Release Date |
2011/09/01 |
Update Number |
1984 |
Supported Platforms |
idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+ |
HTTP: WordPress Generic "ID" Parameter SQL Injection
This signature covers numerous vulnerabilities in WordPress Add-on Modules. Most modules are made by third-party groups that fail to protect against SQL injection. The WordPress "ID" parameter is a common target. This signature detects typical SQL commands sent to an ID parameter of a WordPress enabled website.
Extended Description
The WP Bannerize plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WP Bannerize versions 2.8.6 and prior are vulnerable.
Affected Products
- WordPress WP Bannerize 2.8.6
References
- BugTraq: 49401
- CVE: CVE-2009-0968
- CVE: CVE-2008-1646
- CVE: CVE-2008-2510
- CVE: CVE-2008-2034
- CVE: CVE-2008-0507
- CVE: CVE-2008-0490
- CVE: CVE-2007-1897
- URL: http://wordpress.org/